Dan Boneh Basic key exchange Public-key encryption Online Cryptography Course Dan Boneh.


1 Dan Boneh Basic key exchange Public-key encryption Online Cryptography Course Dan Boneh

2 Establishing a shared secret
Goal: Alice and Bob want a shared secret, unknown to an eavesdropper
For now: security against eavesdropping only (no tampering)
(Diagram: Alice, Bob, eavesdropper)
This segment: a different approach

3 Public key encryption
(Diagram: Alice, Bob, encryption E, decryption D)

4 Public key encryption
Def: a public-key encryption system is a triple of algs. (G, E, D)
  G(): randomized alg. outputs a key pair (pk, sk)
  E(pk, m): randomized alg. that takes m ∈ M and outputs c ∈ C
  D(sk, c): det. alg. that takes c ∈ C and outputs m ∈ M or ⊥
Consistency: ∀ (pk, sk) output by G: ∀ m ∈ M: D(sk, E(pk, m)) = m

5 Semantic Security
For b = 0,1 define experiments EXP(0) and EXP(1) as:
  Chal.: (pk, sk) ← G(), sends pk to Adv. A
  Adv. A: sends m_0, m_1 ∈ M with |m_0| = |m_1|
  Chal.: sends c ← E(pk, m_b)
  Adv. A: outputs b’ ∈ {0,1}, the output of EXP(b)
Def: E = (G, E, D) is sem. secure (a.k.a. IND-CPA) if for all efficient A:
  Adv_SS[A, E] = | Pr[EXP(0)=1] - Pr[EXP(1)=1] | < negligible

6 Establishing a shared secret
Alice: (pk, sk) ← G()
Alice → Bob: “Alice”, pk
Bob: choose random x ∈ {0,1}^128

7 Security (eavesdropping)
Adversary sees pk, E(pk, x) and wants x ∈ M
Semantic security ⇒ adversary cannot distinguish
  { pk, E(pk, x), x } from { pk, E(pk, x), rand ∈ M }
⇒ can derive session key from x.
Note: protocol is vulnerable to man-in-the-middle
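
Added example (not part of the original slides): the (G, E, D) interface and the key exchange above, run end to end. The slides defer concrete constructions to a later module, so a toy hashed-ElGamal scheme is swapped in here; P, GEN, session_key and key_exchange are illustrative names, and SHA-256 as the key-derivation step is an assumption. As in the slides, pk is not authenticated, so this models eavesdropping security only.

```python
import hashlib
import secrets

# Assumed toy parameters (not from the slides): far too small for real use.
P = 2**127 - 1   # Mersenne prime modulus
GEN = 3          # fixed base

def _pad(shared: int) -> bytes:
    """Hash a group element down to a 128-bit one-time pad."""
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()[:16]

def G():
    """Randomized key generation: returns (pk, sk)."""
    sk = secrets.randbelow(P - 2) + 1
    return pow(GEN, sk, P), sk

def E(pk: int, m: bytes):
    """Randomized encryption of m in M = {0,1}^128 (16 bytes) under pk."""
    if len(m) != 16:
        raise ValueError("message must be exactly 16 bytes")
    r = secrets.randbelow(P - 2) + 1          # fresh randomness per call
    pad = _pad(pow(pk, r, P))
    return pow(GEN, r, P), bytes(a ^ b for a, b in zip(m, pad))

def D(sk: int, c):
    """Deterministic decryption; None stands for ⊥ on a malformed ciphertext."""
    u, v = c
    if not (0 < u < P) or len(v) != 16:
        return None
    pad = _pad(pow(u, sk, P))
    return bytes(a ^ b for a, b in zip(v, pad))

def session_key(x: bytes) -> bytes:
    """Derive a session key from x (SHA-256 is an assumed KDF)."""
    return hashlib.sha256(b"session" + x).digest()

def key_exchange():
    """Run the exchange; return (Alice's key, Bob's key, eavesdropper's view)."""
    pk, sk = G()                        # Alice: (pk, sk) <- G()
    msg1 = ("Alice", pk)                # Alice -> Bob
    x = secrets.token_bytes(16)         # Bob: random x in {0,1}^128
    msg2 = ("Bob", E(msg1[1], x))       # Bob -> Alice
    x_alice = D(sk, msg2[1])            # Alice recovers x with sk
    return session_key(x_alice), session_key(x), (msg1, msg2)
```

The third return value is exactly what the eavesdropper sees: pk and E(pk, x), never x or sk.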

8 Insecure against man in the middle
As described, the protocol is insecure against active attacks
Parties: Alice, MiTM, Bob
Alice: (pk, sk) ← G()
Alice sends: “Alice”, pk
MiTM: (pk’, sk’) ← G()
Bob: choose random x ∈ {0,1}^128
Bob sends: “Bob”, E(pk’, x)
MiTM sends: “Bob”, E(pk, x)

9 Public key encryption: constructions
Constructions generally rely on hard problems from number theory and algebra
Next module: Brief detour to catch up on the relevant background

10 Further readings
Merkle Puzzles are Optimal, B. Barak, M. Mahmoody-Ghidary, Crypto ’09
On formal models of key exchange (sections 7-9), V. Shoup, 1999

11 End of Segment

